Computing device users may use local and online accounts to access various computing resources. Users may seek access to their accounts from different devices and may also share devices to access respective accounts. Authentication of users to prove the users “are who they say they are”, differentiate between users, and provide selective access to computing resources is a persistent challenge faced by service providers. Traditionally, authentication techniques may rely upon shared secrets such as passwords and/or digital tokens (e.g. ticket granting tickets TGTs, encrypted blobs, cookies, or other sign-on credentials). However, shared secrets and digital tokens can be stolen or compromised. Moreover, traditional tokens may include both identity and privilege data such that possession of a valid digital token (even if stolen) is sufficient to gain access to corresponding resources by presenting the token to a service provider. Thus, although shared secret based authentication techniques may be effective, there are some drawbacks associated with existing techniques.